It’s been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities.
We’ll also break down the methods behind a new FortiWeb hack and discuss the rising trend of attackers abusing Microsoft Teams for their campaigns. Get up to speed on the latest threats and defenses right here.
Vulnerabilities
Google Chrome Zero-Day Under Active Exploitation
Google has issued an emergency security update for its Chrome browser to address a critical zero-day vulnerability, CVE-2025-6558, that is being actively exploited in the wild. The flaw, which stems from incorrect input validation in the ANGLE and GPU components, was reported by Google’s own Threat Analysis Group.
The update brings Chrome to version 138.0.7204.157/.158 for Windows and Mac, and 138.0.7204.157 for Linux. It also patches two other high-severity vulnerabilities: an integer overflow in the V8 JavaScript engine (CVE-2025-7656) and a use-after-free vulnerability in WebRTC (CVE-2025-7657). Due to the active exploitation, users are strongly urged to update their browsers immediately.
Critical Vulnerabilities Found in VMware Products
On July 15, 2025, Broadcom disclosed four significant vulnerabilities affecting a range of VMware products, including ESXi, Workstation, Fusion, and Tools. These flaws, discovered during the Pwn2Own hacking competition, could allow attackers to escape from virtual machines and execute code on the host system.
The most severe of these, CVE-2025-41236, is an integer-overflow vulnerability in the VMXNET3 virtual network adapter with a CVSS score of 9.3. Other critical flaws include an integer underflow in the Virtual Machine Communication Interface (VMCI) and a heap overflow in the PVSCSI controller. VMware has released patches to address the vulnerabilities, and administrators are advised to apply them promptly.
Node.js Patches High-Severity Flaws on Windows
The Node.js project released security updates on July 15, 2025, to fix two high-severity vulnerabilities impacting versions 20.x, 22.x, and 24.x. The most notable flaw, CVE-2025-27210, is a path traversal vulnerability that affects Windows-based applications. It allows attackers to use reserved device names like ‘CON’ or ‘PRN’ to bypass path protection mechanisms. The second vulnerability, CVE-2025-27209, is a Hash Denial of Service (HashDoS) risk in the V8 engine. Developers are advised to update their Node.js environments to mitigate these risks.
Oracle’s July Update Fixes Over 300 Vulnerabilities
Oracle has released its quarterly Critical Patch Update for July 2025, addressing 309 vulnerabilities across its product suite. A significant portion of these flaws, 127, can be exploited remotely without requiring user credentials. The update includes patches for nine critical-severity flaws. Key products affected are Oracle Database Server, MySQL, Java SE, and Fusion Middleware. Given the large number of high-severity and remotely exploitable bugs, Oracle strongly recommends that customers apply the security patches without delay.
Vim Text Editor Vulnerable to File Overwriting
A path traversal vulnerability, CVE-2025-53906, has been discovered in the zip.vim plugin bundled with the Vim text editor. This medium-severity flaw allows an attacker to overwrite sensitive files on a user’s system. The attack occurs when a user opens a specially crafted ZIP archive within Vim. The vulnerability affects all versions prior to 9.1.1551. Vim has released a patched version, and users are advised to upgrade to protect their systems.
Google AI Discovers and Foils SQLite Zero-Day
In a notable development, Google announced that its AI framework, “Big Sleep,” identified a critical memory corruption flaw in the widely used SQLite database engine before it could be exploited. The vulnerability, CVE-2025-6965, could allow an attacker to trigger an integer overflow by injecting malicious SQL statements. Google stated that the flaw was known to threat actors and was at imminent risk of being used in attacks. This marks what Google believes is the first instance of an AI agent predicting and helping to prevent the exploitation of a zero-day vulnerability in the wild. The flaw affects SQLite versions prior to 3.50.2.
Cisco Warns of Critical Flaw in Identity Services Engine
Cisco has issued a security advisory for a critical vulnerability, CVE-2025-20337, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw carries the maximum possible CVSS score of 10.0, as it allows an unauthenticated, remote attacker to execute arbitrary code with the highest level of privileges (root) on an affected device. The vulnerability is in a specific API and is due to insufficient input validation. It affects ISE versions 3.3 and 3.4. Cisco has released software updates and advises administrators to patch their systems immediately, as there are no workarounds.
Unpatched SharePoint Zero-Day Exploited in Attacks
A critical zero-day remote code execution (RCE) vulnerability in Microsoft SharePoint, CVE-2025-53770, is being actively exploited in attacks against on-premises servers. Microsoft has confirmed the active attacks, which began around July 18, 2025, and have reportedly compromised dozens of servers. The flaw is a variant of a bug demonstrated at the Pwn2Own hacking contest. Currently, no patch is available, but Microsoft is developing a security update. The vulnerability does not affect SharePoint Online customers.
CrushFTP Zero-Day Allows Server Hijacking
A zero-day vulnerability in the CrushFTP enterprise file transfer server is being actively exploited, allowing attackers to gain administrative access to servers. The vulnerability, CVE-2025-54309, is an unprotected alternate channel flaw that can be leveraged by a remote, unauthenticated attacker. Exploitation was first detected on July 18, 2025. CrushFTP believes attackers discovered the bug by reverse-engineering recent patches. The company has stated that the latest versions of its software already contain a fix for the issue.
Threats
Ransomware Operators Expand Attacks to Linux and VMware Systems
Ransomware gangs are strategically shifting their focus from Windows to target Linux and VMware environments, which are prevalent in enterprise and cloud infrastructures. With Linux powering the vast majority of public cloud workloads and top web servers, cybercriminals are developing specialized ransomware to exploit these systems.
Groups like Pay2Key and Helldown are updating their tools to target Linux, while others use advanced “fileless” techniques that are difficult to detect. These methods leverage legitimate system tools to execute malicious code directly in memory, bypassing traditional antivirus solutions that are often not as robust on non-Windows systems. This evolution in tactics highlights a critical blind spot in the security of cloud and DevOps environments.
New “Dark 101” Ransomware Disables Recovery Tools
A new ransomware variant named “Dark 101” has been identified, featuring a weaponized .NET binary designed to cripple system recovery efforts. This malware encrypts user files and then takes steps to prevent system restoration by disabling Windows recovery modes and blocking access to the Task Manager. To evade detection, Dark 101 uses tactics like impersonating legitimate system processes and delaying its execution to fool automated sandbox analysis. The attackers typically demand a ransom of around $1500 in Bitcoin to decrypt the files.
Albemarle County Suffers Major Ransomware Attack
A ransomware attack on Albemarle County, Virginia, has compromised the sensitive personal information of county residents, local government employees, and public school staff. The breach exposed data such as names, Social Security numbers, driver’s license numbers, and passport details. The attack, which took place in June, also caused significant disruptions to the county’s phone and IT systems. In response, officials have notified the FBI and are offering affected individuals 12 months of free identity monitoring services.
“Dark Partners” Hacking Group Drains Crypto Wallets with Fake Sites
A cybercrime operation known as Dark Partners is using a large network of over 250 malicious websites to steal cryptocurrency. These sites impersonate legitimate AI tools, VPN services, and software brands to trick users into downloading infostealer malware. The group uses different malware for different operating systems, deploying Poseidon Stealer on macOS and PayDay Loader on Windows systems to exfiltrate crypto wallet data and other sensitive credentials.
Chinese State-Sponsored Hackers Breached US National Guard
The U.S. Department of Homeland Security confirmed that a Chinese state-sponsored hacking group, known as Salt Typhoon, remained undetected within the U.S. Army National Guard’s network for nine months. During this time, the attackers stole sensitive data, including administrator credentials, network diagrams, and the personally identifiable information (PII) of service members. The group is part of a larger collective tasked with infiltrating U.S. critical infrastructure to establish footholds for potential future conflicts.
Infostealers Spread Through Cracked Software
Cybercriminals are commonly distributing information-stealing malware by bundling it with pirated software and key generators (“cracks”). Users seeking to use this software are often instructed to disable their antivirus programs, creating an opportunity for malware like RedLine Stealer and RisePro to infect their systems without being detected. Once installed, these infostealers are designed to steal sensitive information such as passwords, financial details, and cryptocurrency wallet credentials.
Hackers Weaponize SVG Files to Bypass Security
Threat actors are increasingly using Scalable Vector Graphics (SVG) files as a vector for cyberattacks. Because SVG files can contain scripts and are often treated as simple images, they can bypass email security filters that block more suspicious file types. Attackers embed malicious JavaScript within these files, a technique known as “HTML smuggling,” to deliver malware like the Agent Tesla Keylogger and XWorm RAT. When a victim opens the weaponized SVG file in a web browser, the embedded script executes, typically prompting a download of the malicious payload.
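An added example, not from the article or any vendor product, of the triage a mail gateway can run on SVG attachments: a regex scan for the markers of active content the paragraph describes (script elements, event handlers, javascript: links, embedded HTML, long base64 blobs), exercised on two constructed sample files; the suspicious sample carries only a placeholder comment, no payload.

```javascript
// Added example, not from the article or any vendor product: heuristic
// triage for SVG attachments that flags markers of active content. It is a
// regex scan for a first pass; a gateway would follow with a real XML parse.
const ACTIVE_CONTENT = [
  { name: 'script element',  re: /<script[\s>]/i },
  { name: 'event handler',   re: /\son[a-z]+\s*=/i },          // onload=, onclick=
  { name: 'javascript: URL', re: /href\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject',   re: /<foreignObject[\s>]/i },      // embeds HTML
  { name: 'data: URL',       re: /href\s*=\s*["']?\s*data:/i },
];

// Return the reasons an SVG should be quarantined; an empty list means no
// active-content marker was found.
function inspectSvg(text) {
  const reasons = ACTIVE_CONTENT.filter(({ re }) => re.test(text)).map(({ name }) => name);
  // A long base64 run is how smuggled payloads are usually carried, so it
  // is flagged even when no script tag is visible.
  if (/[A-Za-z0-9+/]{200,}={0,2}/.test(text)) reasons.push('large base64 blob');
  return reasons;
}

// Constructed samples: an inert icon and a file with the markers above
// (the script body is only a placeholder comment).
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="#09c"/>
</svg>`;

const SUSPICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="start()">
  <script>/* placeholder: a real sample decodes and offers a download here */</script>
  <a xlink:href="javascript:void(0)"><text x="5" y="10">Open document</text></a>
</svg>`;

console.log('benign:', inspectSvg(BENIGN_SVG));         // []
console.log('suspicious:', inspectSvg(SUSPICIOUS_SVG)); // script element, event handler, javascript: URL
```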
Cyber Attacks
North Korean Hackers Use Fake Zoom Invites to Target Crypto Firms
Hackers linked to North Korea are using sophisticated social engineering tactics, including fake Zoom meeting invitations and AI-generated deepfakes, to compromise employees at cryptocurrency and Web3 companies. The objective is to deceive victims into installing malware, such as the “NimDoor” backdoor for macOS, designed to steal cryptocurrency and other sensitive information. The attack chain often begins with a fraudulent message on platforms like Telegram or a fake Calendly invitation, which directs the target to a counterfeit Zoom meeting where they are prompted to install a malicious “update” or “extension”.
Malicious NPM Packages Linked to North Korean “Contagious Interview” Campaign
North Korean threat actors have expanded their “Contagious Interview” campaign by publishing dozens of malicious packages on the npm (Node Package Manager) registry. Recently, 67 new packages were identified, designed to compromise developer systems and exfiltrate data, with a particular focus on cryptocurrency wallets. These supply chain attacks frequently leverage social engineering, with hackers posing as recruiters on professional networking sites like LinkedIn to engage with software developers. The malicious packages employ multi-stage, obfuscated JavaScript to download and run additional harmful payloads from remote servers.
Japanese Companies Targeted in Widespread Cyberattacks
Japanese corporations have recently been the focus of significant cyberattacks. In one campaign, 46 companies and organizations, including major entities like Japan Airlines and MUFG Bank, were hit with distributed denial-of-service (DDoS) attacks. In a separate, large-scale incident, the “WannaCry” ransomware impacted about 600 Japanese firms, compromising around 2,000 computers at companies such as Hitachi and Nissan.
Critical Fortinet FortiWeb Vulnerability Actively Exploited
A critical SQL injection vulnerability in Fortinet’s FortiWeb web application firewall (WAF) is being actively exploited by attackers. The flaw, identified as CVE-2025-25257, holds a severity score of 9.6 out of 10 and permits an unauthenticated attacker to execute unauthorized code or commands remotely. Following its discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for patching. The public release of proof-of-concept (PoC) code has accelerated the weaponization of this exploit.
Microsoft Teams Calls Weaponized to Deploy Ransomware
Cybercriminals are now using Microsoft Teams calls as a vector to deliver the Matanbuchus ransomware loader. In these attacks, threat actors impersonate IT support personnel during Teams video calls and use social engineering to persuade victims to execute malicious PowerShell scripts through the Quick Assist feature. This method cleverly circumvents conventional email security filters by exploiting the inherent trust users place in business collaboration tools. The latest version, Matanbuchus 3.0, operates as a sophisticated Malware-as-a-Service (MaaS) platform.
CitrixBleed 2 Flaw Under Active Exploitation
A critical memory disclosure vulnerability known as “CitrixBleed 2” (CVE-2025-5777) is affecting Citrix NetScaler ADC and Gateway systems and is being actively exploited in the wild. The flaw allows attackers to hijack active user sessions and steal credentials without authentication. Evidence suggests exploitation began in mid-June, with at least 100 organizations already compromised, while thousands of other instances remain vulnerable. CISA has added this vulnerability to its KEV catalog, mandating immediate patching for federal agencies.
DNS Vulnerabilities Create “Nation-State Level Spying” Risks
Security researchers have uncovered a new category of vulnerabilities within major DNS-as-a-Service (DNSaaS) providers that could enable attackers to conduct “nation-state level spying” on corporate networks. By simply registering a domain, attackers can hijack a provider’s nameserver to intercept internal dynamic DNS traffic from thousands of organizations, including Fortune 500 companies and government agencies. The intercepted data includes sensitive information such as computer names, employee details, and internal IP addresses, which can be used to map and breach networks.
Microsoft Entra ID Flaw Allows Privilege Escalation
A significant vulnerability has been found in Microsoft Entra ID (formerly Azure Active Directory) that allows a user with existing privileged access to escalate their permissions to become a Global Administrator. This would grant the attacker complete control over an organization’s entire cloud environment, including access to emails and all applications connected to Azure. The vulnerability stems from weaknesses in the platform’s authentication mechanisms and role-based access control (RBAC), which can be exploited by manipulating API calls to bypass security protocols.
The post Weekly Cybersecurity Newsletter: Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More appeared first on Cyber Security News.